This disclosure relates to tunneling and security provisioning.
The prevalence and accessibility of computer networks requires security measures to protect valuable information. An enterprise, for example, can implement such security measures by use of a layered security system. Such a layered security system can be implemented at the network edge of the enterprise, e.g., firewalls, gateway security agents, etc. Additionally, a layered security system can also include security processes and agents that are implemented throughout the enterprises, e.g., virus scanning software on each computer device within the enterprise, content filtering software, content monitoring software, etc.
However, such layered security systems are prone to processing inefficiencies and can require many resources within the enterprise to maintain the systems. The use of an “in-the-cloud” distributed security system that provides security services external to a network edge of an enterprise can overcome many of these processing inefficiencies. One example of such a system is the Global Cloud Infrastructure provided by Zscaler, Inc., of Sunnyvale, Calif.
In such a distributed security system, an enterprise can transmit data to and receive data from the distributed security system by use of tunneling technologies. A tunneling protocol enables one network protocol (the delivery protocol) to encapsulate packet that conform to a payload protocol to carry a payload over an incompatible delivery network, or can provide a secure path through an open network. Example tunneling technologies include generic routing encapsulation (GRE), layer two tunneling protocol (L2TP), point-to-point tunneling protocol (PPTP) or IPSec protocols may be used. Virtual private network (VPN) routers and VPN concentrators can be used to achieve the traffic redirection for tunneling.
The use of tunneling, however, presents the enterprise and the security provider with specific challenges and problems. One problem is that each enterprise has at least one logically independent internet protocol (IP) sub-network. As a result, an end device in a first independent IP sub-network for a first enterprise may have the same IP address as an end device in a second independent IP sub-network for a second enterprise. When the IP data packets are sent from the devices are encapsulated in respective tunnels to the security provider, the tunnel traffic from each enterprise can be readily identified by a tunnel identifier, e.g., the respective IP addresses of the edge routers of each enterprise. However, when the encapsulated packets are decapsulated from the GRE packet, the packets may have the same source IP address and source port. Furthermore, when the packets are being sent to the same external end device, e.g., a search engine server, for example, the destination IP addresses can also be the same, as can the port numbers. Thus, in some cases, the packets from the respective end devices in each enterprise, after decapsulation, can have the same addressing information, resulting in addressing ambiguity.